hedgehog-iso-build-docker-wrap-push-ghcr.yml

name: hedgehog-iso-build-docker-wrap-push-ghcr

on:
  push:
    branches:
      - main
      - development
    paths:
      - 'hedgehog-iso/**'
      - 'shared/bin/*'
      - '.trigger_iso_workflow_build'
      - '.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml'
  workflow_dispatch:
  repository_dispatch:

jobs:
  build:
    runs-on: ubuntu-22.04
    permissions:
      actions: write
      packages: write
      contents: read
      security-events: write
    defaults:
      run:
        shell: bash
    steps:
      -
        name: Cancel previous run in progress
        uses: styfle/cancel-workflow-action@0.12.1
        with:
          ignore_sha: true
          all_but_latest: true
          access_token: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver-opts: |
            image=moby/buildkit:master
      -
        name: Build environment setup
        run: |
          sudo docker rmi $(docker image ls -aq) >/dev/null 2>&1 || true
          sudo rm -rf \
            "$AGENT_TOOLSDIRECTORY" \
            /opt/ghc \
            /usr/lib/jvm \
            /usr/local/.ghcup \
            /usr/local/lib/android \
            /usr/local/share/powershell \
            /usr/share/dotnet \
            /usr/share/swift >/dev/null 2>&1 || true
          sudo env DEBIAN_FRONTEND=noninteractive apt-get -q -y update >/dev/null 2>&1
          sudo env DEBIAN_FRONTEND=noninteractive apt-get -q -y --purge remove \
            azure-cli \
            dotnet* \
            firefox \
            google-chrome-stable \
            google-cloud-cli \
            microsoft-edge-stable \
            mono-* \
            mysql* \
            postgresql* \
            powershell \
            temurin*  >/dev/null 2>&1 || true
          sudo env DEBIAN_FRONTEND=noninteractive apt-get -q -y --purge autoremove >/dev/null 2>&1 || true
          sudo env DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y -q \
               apt-transport-https \
               bc \
               build-essential \
               ca-certificates \
               curl \
               debhelper-compat \
               debian-archive-keyring \
               debootstrap \
               genisoimage \
               gettext \
               git \
               gnupg2 \
               imagemagick \
               jq \
               po4a \
               rsync \
               software-properties-common \
               squashfs-tools \
               virt-what \
               xorriso
          git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules --branch='debian/1%20230131' 'https://salsa.debian.org/live-team/live-build.git' /tmp/live-build
          cd /tmp/live-build
          dpkg-buildpackage -b -uc -us
          cd /tmp
          sudo dpkg -i /tmp/live-build*.deb
          sudo rm -rf /tmp/live-build /tmp/live-build*.deb
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Extract branch name
        shell: bash
        run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT
        id: extract_branch
      -
        name: Extract commit SHA
        shell: bash
        run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
        id: extract_commit_sha
      -
        name: Extract Malcolm version
        shell: bash
        run: echo "mversion=$(grep -P "^\s+image:.*/malcolm/" docker-compose-dev.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" >> $GITHUB_OUTPUT
        id: extract_malcolm_version
      -
        name: Build image
        run: |
          sudo rm -rf ${GITHUB_WORKSPACE}/.git
          cp -r ./shared ./docs ./_config.yml ./_includes ./_layouts ./Gemfile ./README.md ./malcolm-iso/htpdate ./hedgehog-iso
          cp ./scripts/malcolm_utils.py ./hedgehog-iso/shared/bin/
          cp ./scripts/documentation_build.sh ./hedgehog-iso/docs/
          mkdir -p ./hedgehog-iso/suricata
          cp -r ./suricata/rules-default ./hedgehog-iso/suricata/
          mkdir -p ./hedgehog-iso/nginx
          cp -r ./nginx/landingpage/css ./hedgehog-iso/nginx/
          cp -r ./nginx/landingpage/js ./hedgehog-iso/nginx/
          pushd ./hedgehog-iso
          echo "${{ steps.extract_malcolm_version.outputs.mversion }}" > ./shared/version.txt
          echo "${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}" > ./shared/maxmind_license.txt
          echo "${{ secrets.MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL }}" > ./shared/maxmind_url.txt
          echo "${{ secrets.ZEEK_DEB_ALTERNATE_DOWNLOAD_URL }}" > ./shared/zeek_url.txt
          echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" > ./shared/environment.chroot
          echo "VCS_REVSION=${{ steps.extract_commit_sha.outputs.sha }}" > ./shared/environment.chroot
          echo "BUILD_JOBS=2" > ./shared/environment.chroot
          sudo /usr/bin/env bash ./build.sh
          rm -rf ./shared/ ./docs/ ./_config.yml ./_includes ./_layouts /Gemfile ./README.md ./suricata
          sudo chmod 644 ./hedgehog-*.*
          popd
      -
        name: Run Trivy vulnerability scanner
        if: ${{ matrix.platform == 'linux/amd64' }}
        id: trivy-scan
        uses: aquasecurity/trivy-action@0.28.0
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
        with:
          scan-type: 'fs'
          scan-ref: './hedgehog-iso'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
          vuln-type: 'os,library'
          hide-progress: true
          ignore-unfixed: true
          exit-code: '0'
      -
        name: Upload Trivy scan results to GitHub Security tab
        if: ${{ matrix.platform == 'linux/amd64' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
      -
        name: ghcr.io login
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Build and push ISO image
        uses: docker/build-push-action@v5
        with:
          context: ./hedgehog-iso
          push: true
          provenance: false
          tags: ghcr.io/${{ github.repository_owner }}/malcolm/hedgehog:${{ steps.extract_branch.outputs.branch }}